GET v2.0/tenants authority vs GET v3/projects
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
Bug Description
Using the default setup with devstack, a non-administrator can get tenants using v2.0 API, but using the V3 API to get projects, it fails saying I don't have authority. It's the same data, so non-administrators should either have access to it or not have access to it via any api.
To recreate:
0) start with devstack.
1) Get a demo user token:
$ keystone tenant-get demo
...
| id | 0f434bbbfabc461
$ DEMO_TENANT_ID=0f434bbbfabc461
$ curl -i \
-H "Content-Type: application/json" \
-d '{"auth"
http://
$ DEMO_TOKEN=...
2) Get tenants using the v2 API:
$ curl -H "X-Auth-Token: $DEMO_TOKEN" http://
{"tenants_links": [], "tenants": [{"description": null, "enabled": true, "id": "0f434bbbfabc46
3) Now try to get tenants/projects using the v3 API:
$ curl -H "X-Auth-Token: $DEMO_TOKEN" http://
{"error": {"message": "You are not authorized to perform the requested action: identity:
Keystone should be consistent about either denying or allowing tenant/project data to non-administrators.
No, it's not the same data and you probably shouldn't have authz there for this use case. By design, v3 is intending to correct a very strange behavior in the v2 API. That is, the following call is used by users to list tenants to which they have access:
http://identity:5000/v2.0/tenants
Administrators would use the following endpoint to list all tenants in the system:
http://identity:5000/v2.0/tenants
Note that the only difference between the above two calls is the port used. This is the only difference I'm aware of between the two v2 endpoints.
In v3, users list the "projects" to which they have access by calling:
http://identity:35357/v3/users/{my_user_id}/projects
And the domains to which they have access by calling:
http://identity:35357/v3/users/{my_user_id}/domains
This frees up the following two root collections to actually list all resources in the system, as expected:
http://identity:35357/v3/domains
http://identity:35357/v3/projects
Also note that there are no behavioral differences on /v3/ between :5000 and :35357 as a result of this design change.
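The distinction drawn in the reply, that a non-admin lists its own projects through `/v3/users/{user_id}/projects` while the root `/v3/projects` collection enumerates every project and is admin-only under the default policy, is easy to get wrong in client code that was written against v2. The following is an added example (not code from the bug reporter, the commenter, or the Keystone project) of a small v3 client that builds the right URL for each case and turns the 403 on the root collection into an actionable error instead of a silent empty list. The host name `identity`, the port, the token, the user id, the project id and the two JSON bodies are constructed sample values; the 403 message text follows the shape shown in the report, with the policy rule name `identity:list_projects` being an assumption about which rule the root collection is checked against.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample responses (not captured from a real deployment).
SAMPLE_USER_PROJECTS = {
    "projects": [{"id": "proj-demo-id", "name": "demo", "enabled": True}],
    "links": {"self": "http://identity:35357/v3/users/USER_ID/projects",
              "previous": None, "next": None},
}
SAMPLE_FORBIDDEN = {
    "error": {
        "code": 403,
        "title": "Forbidden",
        # identity:list_projects is assumed to be the rule behind GET /v3/projects
        "message": "You are not authorized to perform the requested action: "
                   "identity:list_projects",
    }
}


def v3_url(base_url, path):
    """Join a Keystone base URL (scheme://host:port) with a v3 resource path."""
    return base_url.rstrip("/") + "/v3/" + path.lstrip("/")


def my_projects_url(base_url, user_id):
    """The user-scoped listing: what a non-administrator should call."""
    return v3_url(base_url, "users/%s/projects" % user_id)


def all_projects_url(base_url):
    """The root collection: lists every project, admin-only by default."""
    return v3_url(base_url, "projects")


def urllib_fetch(url, token):
    """Real transport: GET with X-Auth-Token, returning (status, parsed JSON body).

    HTTP errors are returned as (status, body) rather than raised so the caller
    can distinguish a policy denial (403) from transport problems.
    """
    req = Request(url, headers={"X-Auth-Token": token, "Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        try:
            body = json.loads(raw) if raw else {}
        except ValueError:
            body = {"error": {"message": raw}}
        return err.code, body


def fake_fetch(url, token):
    """Offline transport that mimics the default-policy behaviour described above."""
    if url.endswith("/v3/projects"):
        return 403, SAMPLE_FORBIDDEN
    if "/v3/users/" in url and url.endswith("/projects"):
        return 200, SAMPLE_USER_PROJECTS
    return 404, {"error": {"message": "not found"}}


def list_projects(base_url, token, user_id=None, fetch=urllib_fetch):
    """Return ([(id, name), ...], None) on success or ([], reason) on failure.

    With user_id the caller's own projects are listed; without it the root
    collection is queried, which requires an administrative token by default.
    """
    url = my_projects_url(base_url, user_id) if user_id else all_projects_url(base_url)
    status, body = fetch(url, token)
    if status == 200:
        return [(p["id"], p["name"]) for p in body.get("projects", [])], None
    if status == 403:
        msg = body.get("error", {}).get("message", "")
        hint = "token not permitted for this endpoint"
        if user_id is None:
            hint += ("; GET /v3/projects lists every project in the system, use "
                     "GET /v3/users/{user_id}/projects for the caller's own projects")
        return [], "%d: %s (%s)" % (status, msg, hint)
    return [], "%d: unexpected response" % status


if __name__ == "__main__":
    base = "http://identity:35357"
    print(list_projects(base, "demo-token", user_id="demo-user-id", fetch=fake_fetch))
    print(list_projects(base, "demo-token", fetch=fake_fetch))
```

Swap `fake_fetch` for the default `urllib_fetch` to run it against a live endpoint; because the commenter notes that `/v3/` behaves identically on :5000 and :35357, the same code works against either port, and a 403 from the root collection is the expected outcome for a non-admin token rather than a bug.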